I block the ASN address ranges of a large number of server rental companies as a lot of "bad actors" use these servers to perform port scans and brute force attacks.
ASN_LIST.txt
--> list of the ASNs I block on my Fortigate SSL VPN loop back interface. This is the list of ASNs that the ASN_block_lists_all.php
script pulls.
ASN_block_lists_all.php
--> script I use to pull all of the IP address details for all ASNs in ASN_LIST.txt
and save the results into asn_blockX.Y.txt
files so I can use my fortigate's external threat feeds to import the results. The script downloads (as of 12/9/2024) 66,097 subnet ranges, some of the ranges go as large as a /10 subnet!
asn_blockX.Y.txt
--> these are the resulting files made when running the ASN_block_lists_all.php
script. any one Fortigate external threat feed can only handle 131,000 entries, and the script ensures the files are maxed out and aggregates everything into as few files as possible
manual_block_list.txt
--> list of IPs that have tried to force a username/password on my fortigate but their ASN is a large telecomm provider and I do not wish to block the entire ASN. this is used on my Fortigate SSL_VPN loop back interface
While the fortigate firewalls do have built in web-filters for advertisements and known malicious actors, it is not blocking everything I would like it to. As such I wanted to use the plethora of Pie-Hole block lists, especially the lists at this amazing site https://firebog.net/. The issue is that these lists are not formatted in the way the Fortigate external threat feeds will accept. As a result I made a script that will download all of the separate lists, format the entries to be compatible with the external threat feeds, and save the entries into separate files with 131,000 entries per file since that is the limit of the threat feeds.
DNS_block_lists_all.php
COMBINED with webblock.sh
--> The PHP script that pulls the domain names used in multiple Pie-Hole DNS block lists. The script formats the data in a way compatible with the fortigate since pie hole lists are formatted as HOST files. The PHP script itself then activates the webblock.sh
file to perform a little more filtering, but most importantly to remove duplicate entries. For example, currently the PHP script downloads (as of 11/24/2024) 2,251,997 entries and after removing duplicates, has 1,643,868 unique entries being blocked.
I then use the WEB filter profile within my Fortigate firewall with the resulting web_blockX.txt
files as external threat feed to block significant amounts of ads, tracking, and malicious sites on top of what fortinet already blocks. Refer to SSL_VPN Config with loopback and auto-block.txt
for how I configured my Fortigate SSLVPN.
web_blockX.txt
--> these are the resulting files made when running the DNS_block_lists_all.php
script. any one Fortigate external threat feed can only handle 131,000 entries, and the script ensures the files are maxed out and aggregates everything into as few files as possible. As of 11/24/2024, there are 13x files starting from web_block0.txt
through web_block12.txt
.
To increase the security of the VPS I am using i also want to be able to use my ASN lists so I can add IP addresses to the ufw firewall to block connections, but I needed a easy way to add and or remove entries from the firewall as required.
fw_update.sh
was written to allow for this.
If ASN based blocking is not desired, it can be turned off by setting the script variable block_ASN=1
from a value of 1 to a value of 0.
The script will also download many different country code IPv4 IP ranges to allow for Geo based blocking. I have disabled all IPv6 incoming connections to my VPS, so I am not downloading the IPv6 addresses ranges. Currently the script downloads ALL countries IPv4 ranges EXCEPT for the United states and Germany. The US because that is the country I live in, but did not want to block Germany as Hetzner is a German company and I did not want to risk issues.
The script gets the needed Geo IP ranges from this repository: https://github.com/herrbischoff/country-ip-blocks/tree/master
If Geo based blocking is not desired, it can be turned off by setting the script variable block_geo=1
from a value of 1 to a value of 0.
If IPv6 incoming connections are not being allowed at all, like I am with my VPS, then keep the variable ipv6=0
set to 0. If you wish to use IPv6, then set this variable to 1.
to see what the script will attempt to do to your system's UFW configuration without actually applying those changes, set the variable test_mode=0
to a value of 1. The script will output what it is doing, but not actually make changes to UFW.
when this script is run, it will download all of the ASN and Geo block files, aggregate them into one file, and check each address to see if it currently being blocked by UFW. If it NOT currently being blocked, then it will be added to your UFW config as a "DENY IN" to "ANYWHERE"
the second thing the script will do is compare all of the DENY IN entries in the UFW configuration and confirm they are still part of the ASN/GEO block lists. If the entry is NOT in those lists, then it will be removed. This is to ensure as those lists update over time, both new addresses will be added, but old addresses will be removed as well from your configuration.
Any "ALLOW IN" entries on the UFW fire wall will be ignored by this script.
running this script for the first time will take DAYS TO COMPLETE as well over 100,000 entries will be added! The process starts out somewhat fast, but as more entries are added, it takes the UFW subsystem longer and longer to add new additional entries slowing the process down. Just let the script run.
After the first time it is run, It is suggested to add a line to crontab to run the script once per month, this should only take a few minutes to an hour or two depending on how many addresses need to be added or removed from your UFW configuration.
SSL_VPN Config with loopback and auto-block.txt
is my entire working fortigate SSLVPN configuration. This allows for auto-blocking of ~20 of the most common user name brute force attempts. It blocks be geography, blocks all of the Internet Service Database (ISDB) entries, and blocks all of the entries in this repo's ASN list to reduce the number of attempts to attack the SSL VPN gateway. some items have been removed like internal IP addresses, so read carefully and ensure you properly replace the required lines to match your configuration.
The key to the fortiagte blocking everything we want is to use a loop back interface. This re-routes the WAN traffic through regular polices so we are able to perform ACCEPT or DENY actions using ISDB, address groups, external threat feeds etc.
to create your loop back copy the following code:
config system interface
edit "WAN_to_LOOPBACK"
set vdom "root"
set ip 10.10.20.1 255.255.255.255
set allowaccess ping
set type loopback
set role lan
set snmp-index 38
config ipv6
set ip6-address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
end
next
end
the IP address 10.10.20.1 255.255.255.255
is the address I am assigning the loopback. It can really be any address you want, but should not be publicly rout-able. The same needs to be done with the IPv6 address set ip6-address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
, you need to choose an IP address to assign to this interface. Later we will be doing more with these addresses.
Over time I noticed that there were common user names being used to attempt brute force log ins. Those user names were:
1.) admin/Admin
2.) fax/Fax
3.) fortigate/Fortigate
4.) fortinet/Fortinet
5.) guest/Guest
6.) kiosk/Kiosk
7.) printer/Printer
8.) receiving/Receiving
9.) scanner/Scanner
10.) sslvpn
11.) teacher/Teacher
12.) test/Test
13.) voicemail/Voicemail
14.) (no user name entered at all) --> when no user name is entered, the system returns "N/A"
15.) report/Report
16.) general/General
17.) frontdesk/Frontdesk
18.) tech/Tech
19.) support/Support
20.) security/Security
21.) host/Host
22.) store/Store
23.) library/Library
24.) client/Client
25.) None of the user names I use have a "." like "john.doe" so for me at least any user name with a "." is to be blocked
26.) user/User
If you notice, I have both upper and lower case here, to achieve this, for the username field I have to use a wildcard. For example for admin/Admin I use set value "*dmin*"
. This allows me to get the upper and lower case of admin/Admin. PLEASE NOTE: ENSURE NONE OF YOUR USER NAMES HAVE THE STRING dmin
AS THOSE WILL BE CAUGHT BY THIS.
below are all of my automation TRIGGERS. I have to have one trigger per user name as FortiOS only allows "AND" and not "OR" for user name.
config system automation-trigger
edit "SSLVPN_Connection"
set event-type event-log
set logid 39947 39424
next
edit "SSL_LOGIN_FAIL_admin"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*dmin*"
next
end
next
edit "SSL_LOGIN_FAIL_fax"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*ax*"
next
end
next
edit "SSL_LOGIN_FAIL_fortigate"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*ortigate*"
next
end
next
edit "SSL_LOGIN_FAIL_fortinet"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*ortinet*"
next
end
next
edit "SSL_LOGIN_FAIL_guest"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*uest*"
next
end
next
edit "SSL_LOGIN_FAIL_kiosk"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*iosk*"
next
end
next
edit "SSL_LOGIN_FAIL_printer"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*rinter*"
next
end
next
edit "SSL_LOGIN_FAIL_receiving"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*eceiving*"
next
end
next
edit "SSL_LOGIN_FAIL_scanner"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*canner*"
next
end
next
edit "SSL_LOGIN_FAIL_sslvpn"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*slvpn*"
next
end
next
edit "SSL_LOGIN_FAIL_teacher"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*eacher*"
next
end
next
edit "SSL_LOGIN_FAIL_test"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*est*"
next
end
next
edit "SSL_LOGIN_FAIL_voicemail"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*oicemail*"
next
end
next
edit "SSL_LOGIN_FAIL_NA"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "N/A"
next
end
next
edit "SSL_LOGIN_FAIL_report"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*eport*"
next
end
next
edit "SSL_LOGIN_FAIL_general"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*eneral*"
next
end
next
edit "SSL_LOGIN_FAIL_frontdesk"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*rontdesk*"
next
end
next
edit "SSL_LOGIN_FAIL_tech"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*ech*"
next
end
next
edit "SSL_LOGIN_FAIL_support"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*upport*"
next
end
next
edit "SSL_LOGIN_FAIL_security"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*ecurity*"
next
end
next
edit "SSL_LOGIN_FAIL_host"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*ost*"
next
end
next
edit "SSL_LOGIN_FAIL_store"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*tore*"
next
end
next
edit "SSL_LOGIN_FAIL_library"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*ibrary*"
next
end
next
edit "SSL_LOGIN_FAIL_client"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*lient*"
next
end
next
edit "SSL_LOGIN_FAIL_dot"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*.*"
next
end
next
edit "SSL_LOGIN_FAIL_USER"
set description "SSL_LOGIN_FAIL"
set event-type event-log
set logid 39426
config fields
edit 1
set name "user"
set value "*ser*"
next
end
next
end
Next we have the automation actions. We have three actions, one is to add the offending IP address to an IP address object and to add that address object to our address group used for blocking. The second action is to send an email notification about the address being blocked. The third is to send notifications when a successful SSL-VPN connection is made.
The address object created uses the following format: SSL_VPN_Block_%%log.remip%%
. So if the offending IP address is "11.22.33.44" then the address object will be named SSL_VPN_Block_11.22.33.44
. This address object is then added to an address group named Block_SSL_Failed
which will be used in the loop back interface.
Ensure the to and from email addresses are configured correctly. Also ensure that your fortigate is properly configured to send emails (that is not included in this config). Finally ensure the email subject is as desired.
config system automation-action
edit "SSL_Connection"
set action-type email
set email-to "[email protected]"
set email-from "[email protected]"
set email-subject "New SSL Connection"
next
edit "Block_SSL_Failed"
set description "Block_SSL_Failed"
set action-type cli-script
set script "config firewall address
edit SSL_VPN_Block_%%log.remip%%
set subnet %%log.remip%%/32
end
config firewall addrgrp
edit Block_SSL_Failed
append member SSL_VPN_Block_%%log.remip%%
end"
set accprofile "super_admin"
next
edit "SSL_VPN_Block"
set description "SSL_VPN_Block"
set action-type email
set email-to "[email protected]"
set email-from "[email protected]"
set email-subject "SSL VPN IP Auto Blocked"
set message "%%log.remip%% address has been added to the address group \"Block_SSL_Failed\" while using the following username: \"%%log.user%%\".
The results of the CLI script were:
%%results%%"
next
end
Next we have our actual automation stitches which will utilize our triggers and actions. Unfortunately we need a separate sticth per user name trigger since we are not allowed to use "OR" logic in the triggers.
config system automation-stitch
edit "SSL_Connection"
set trigger "SSLVPN_Connection"
config actions
edit 1
set action "SSL_Connection"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_admin"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_admin"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_fax"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_fax"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_fortigate"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_fortigate"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_fortinet"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_fortinet"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_guest"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_guest"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_kiosk"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_kiosk"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_printer"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_printer"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_receiving"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_receiving"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_scanner"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_scanner"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_sslvpn"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_sslvpn"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_teacher"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_teacher"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_test"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_test"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_voicemail"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_voicemail"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_NA"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_NA"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_report"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_report"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_general"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_general"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_frontdesk"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_frontdesk"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_tech"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_tech"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_support"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_support"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_security"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_security"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_host"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_host"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_store"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_store"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_library"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_library"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_client"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_client"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_dot"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_dot"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
edit "SSL_LOGIN_FAIL_USER"
set description "SSL_VPN_Block"
set status enable
set trigger "SSL_LOGIN_FAIL_USER"
config actions
edit 1
set action "Block_SSL_Failed"
set required enable
next
edit 2
set action "SSL_VPN_Block"
set required enable
next
end
next
end
Next we have the address objects we need. we will define the address range allowed by the SSL VPN tunnel under the object name of SSLVPN_TUNNEL_ADDR1
config firewall address
edit "SSLVPN_TUNNEL_ADDR1"
set type iprange
set start-ip 10.212.134.200
set end-ip 10.212.134.210
next
Next we create the address objects for the IP addresses assigned to the loop back interface
edit "WAN_to_LOOPBACK address"
set type interface-subnet
set subnet 10.10.20.1 255.255.255.255
set interface "WAN_to_LOOPBACK"
next
end
config firewall address6
edit "SSLVPN_TUNNEL_IPv6_ADDR1"
set ip6 fdff:ffff::/120
next
edit "SSL_VPN_address"
set ip6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
next
end
within the file https://raw.githubusercontent.com/wallacebrf/dns/main/SSL_VPN%20Config%20with%20loopback%20and%20auto-block.txt
There are many countries listed which are used to block those countries in the address group below. choose the countries you wish to block and replace the line set member "your_chosen_countries_to_block"
below with the appropriate entries.
config firewall addrgrp
edit "SSL_VPN_Block_Geography"
set member "your_chosen_countries_to_block"
edit "Block_SSL_Failed"
next
end
Next we need to configure our external threat feeds. One is a list of ASNs that we wish to block. The second is a list of addresses that we wish to block, but are part of a large ASN like comcast, ATT, verison etc. we can add the individual addresses to this list so we do not fill our Fortigate with thousands of address objects.
config system external-resource
edit "manual_blocked"
set type address
set resource "https://raw.githubusercontent.com/wallacebrf/dns/main/manual_block_list.txt"
set refresh-rate 60
next
edit "ASN_lists_blocked"
set type address
set resource "https://raw.githubusercontent.com/wallacebrf/dns/main/asn_block1.1.txt"
set refresh-rate 1440
next
end
Next we get to configure the SSL-VPN settings themselves. we need to create a user group. In this case we are making the group SSL-VPN_Admin
. Replace "12345" with the users you wish to allow.
ensure to replace the line set servercert "my_cert"
with your loaded SSL certificate that has already been loaded into the fortiagte.
config user group
edit "SSL-VPN_Admin"
set member "12345"
next
end
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set ipv6-tunnel-mode enable
set web-mode enable
set limit-user-logins enable
set forticlient-download disable
set auto-connect enable
set keep-alive enable
set save-password enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set split-tunneling disable
set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set ipv6-split-tunneling disable
next
edit "web-access"
set limit-user-logins enable
set forticlient-download disable
next
end
config vpn ssl settings
set status enable
set servercert "my_cert"
set idle-timeout 3600
set login-attempt-limit 5
set login-block-time 86400
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set dns-server1 8.8.8.8
set dns-server2 1.1.1.1
set ipv6-dns-server1 2001:4860:4860::8888
set ipv6-dns-server2 2606:4700::1111
set port 443
set header-x-forwarded-for pass
set source-interface "WAN_to_LOOPBACK"
set source-address "all"
set source-address6 "all"
set default-portal "web-access"
config authentication-rule
edit 1
set groups "SSL-VPN_Admin"
set portal "full-access"
next
end
set hsts-include-subdomains enable
set dual-stack-mode enable
end
next we need to create two virtual IPs that will allow us for forward our WAN port 443 to our loop back interface IP address assignments.
ensure the lines set extip xxx.xxx.xxx.xxx
and set extip xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
match your WAN IPv4 and IPv6 addresses respectively. Ensure the line set mappedip xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
is the same IPv6 address we assigned to the loopback interface in line set ip6-address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/128
config firewall vip
edit "WAN_to_LOOPBACK"
set extip xxx.xxx.xxx.xxx
set mappedip "10.10.20.1"
set extintf "wan1"
set portforward enable
set extport 443
set mappedport 443
next
end
config firewall vip6
edit "WAN_to_LOOPBACK"
set extip xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
set mappedip xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
set portforward enable
set extport 443
set mappedport 443
next
end
finally we need to create the required fire wall polices that will allow traffic from the WAN port to travel to the loop back interface.
1.) SSL_VPN_ASN_BLOCKED_IPv6 --> this policy will block all IPv6 traffic from the WAN interface to our loop back interface where the IPv6 address is included in the external threat feed ASN_lists_blocked
2.) SSL_VPN_MANUAL_BLOCKED_IPv6 --> this policy will block all IPv6 traffic from the WAN interface to our loop back interface where the IPv6 address is included in the external threat feed manual_blocked
3.) SSL_VPN_Loopback_IPv6_ONLY --> this policy will ALLOW all other IPv6 traffic that has not already been blocked by our two external threat feeds.
4.) SSL_VPN_BLOCK_GEOGRAPHY_IPv4 --> this policy will block all IPv4 traffic from the WAN interface to our loop back interface where the IPv4 address is from any of our desired blocked countries.
5.) SSL_VPN_Loopback_ISDB_IPv4 --> this policy will block all IPv4 traffic from the WAN interface to our loop back interface where the IPv4 address is contained within our desired Fortigate Internet Service Database (ISDB) lists.
6.) SSL_VPN_ASN_BLOCKED_IPv4 --> this policy will block all IPv4 traffic from the WAN interface to our loop back interface where the IPv4 address is included in the external threat feed ASN_lists_blocked
7.) SSL_VPN_MANUAL_BLOCKED_IPv4 --> this policy will block all IPv4 traffic from the WAN interface to our loop back interface where the IPv4 address is included in the external threat feed manual_blocked
8.) SSL_VPN_ALLOWED_IPv4 --> This policy will ALLOW all IPv4 traffic from the WAN interface to our loop back interface where the IPv4 address has not already been blocked by the ASN, manual block, ISDB, and geo-blocks.
config firewall policy
edit 95
set status enable
set name "SSL_VPN_ASN_BLOCKED_IPv6"
set srcintf "wan1"
set dstintf "WAN_to_LOOPBACK"
set srcaddr6 "ASN_lists_blocked"
set dstaddr6 "WAN_to_LOOPBACK"
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 93
set status enable
set name "SSL_VPN_MANUAL_BLOCKED_IPv6"
set srcintf "wan1"
set dstintf "WAN_to_LOOPBACK"
set srcaddr6 "manual_blocked"
set dstaddr6 "WAN_to_LOOPBACK"
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 89
set status enable
set name "SSL_VPN_Loopback_IPv6_ONLY"
set srcintf "wan1"
set dstintf "WAN_to_LOOPBACK"
set action accept
set srcaddr6 "all"
set dstaddr6 "WAN_to_LOOPBACK"
set schedule "always"
set service "HTTPS"
set utm-status enable
set inspection-mode proxy
set profile-protocol-options "Core_Proxy"
set ssl-ssh-profile "certificate-inspection"
set ips-sensor "Core_high_security"
set logtraffic all
next
edit 90
set status enable
set name "SSL_VPN_BLOCK_GEOGRAPHY_IPv4"
set srcintf "wan1"
set dstintf "WAN_to_LOOPBACK"
set srcaddr "SSL_VPN_Block_Geography"
set dstaddr "WAN_to_LOOPBACK"
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 88
set status enable
set name "SSL_VPN_Loopback_ISDB_IPv4"
set srcintf "wan1"
set dstintf "WAN_to_LOOPBACK"
set dstaddr "WAN_to_LOOPBACK"
set internet-service-src enable
set internet-service-src-name "Akamai-Linode.Cloud" "Alibaba-Alibaba.Cloud" "Amazon-Amazon.SES" "Amazon-AWS" "Amazon-AWS.GovCloud.US" "Atlassian-Atlassian.Cloud" "BinaryEdge-Scanner" "Botnet-C&C.Server" "Bunny.net-CDN" "Cisco-Meraki.Cloud" "Cloudflare-CDN" "CriminalIP-Scanner" "Cyber.Casa-Scanner" "Datadog-Datadog" "Extreme-Extreme.Cloud" "Five9-Five9" "Google-Google.Bot" "GTHost-Dedicated.Instant.Servers" "Hetzner-Hetzner.Hosting.Service" "Hosting-Bulletproof.Hosting" "Hurricane.Electric-Hurricane.Electric.Internet.Services" "Imperva-Imperva.Cloud.WAF" "Ingenuity-Ingenuity.Cloud.Service" "Internet.Census.Group-Scanner" "Malicious-Malicious.Server" "Medianova-CDN" "Microsoft-Bing.Bot" "NetScout-Scanner" "NodePing-NodePing.Probe" "Okta-Okta" "Phishing-Phishing.Server" "Proxy-Proxy.Server" "Qualys-Qualys.Cloud.Platform" "Shodan-Scanner" "Skyhigh.Security-Secure.Web.Gateway" "SolarWinds-Pingdom.Probe" "SolarWinds-SolarWinds.RMM" "SolarWinds-SpamExperts" "Stark.Industries-Stark.Industries.Hosting.Service" "StatusCake-StatusCake.Monitor" "Stretchoid-Scanner" "Tenable-Tenable.io.Cloud.Scanner" "Tor-Exit.Node" "Tor-Relay.Node" "VPN-Anonymous.VPN" "8X8-8X8.Cloud" "Adobe-Adobe.Sign" "Akamai-CDN" "Apple-APNs" "Atlassian-Atlassian.Notification" "Azion-Azion.Platform" "CacheFly-CDN" "Cato-Cato.Cloud" "CDN77-CDN" "Censys-Scanner" "Cisco-Secure.Endpoint" "ColoCrossing-ColoCrossing.Hosting.Service" "DigitalOcean-DigitalOcean.Platform" "Edgio-CDN" "Fastly-CDN" "GCore.Labs-CDN" "Gigas-Gigas.Cloud" "GitHub-GitHub" "Google-Gmail" "Google-Google.Cloud" "INAP-INAP" "InterneTTL-Scanner" "Jamf-Jamf.Cloud" "Kakao-Kakao.Services" "LaunchDarkly-LaunchDarkly.Platform" "LeakIX-Scanner" "Microsoft-Azure" "Microsoft-Azure.AD" "Microsoft-Azure.Data.Factory" "Microsoft-Azure.Monitor" "Microsoft-Azure.Power.BI" "Microsoft-Azure.SQL" "Microsoft-Azure.Virtual.Desktop" "Microsoft-Dynamics" "Microsoft-Office365.Published" "Microsoft-Office365.Published.Allow" "Microsoft-Office365.Published.Optimize" "Microsoft-Office365.Published.USGOV" "Microsoft-Outlook" "Microsoft-Skype_Teams" "Microsoft-Teams.Published.Worldwide.Allow" "Microsoft-Teams.Published.Worldwide.Optimize" "Microsoft-WNS" "Mimecast-Mimecast" "NetDocuments-NetDocuments.Platform" "Netskope-Netskope.Cloud" "Neustar-UltraDNS.Probes" "NewRelic-Synthetic.Monitor" "Nice-CXone" "Oracle-Oracle.Cloud" "OVHcloud-OVHcloud" "Paylocity-Paylocity" "Performive-Performive.Cloud" "Recyber-Scanner" "RedShield-RedShield.Cloud" "Salesforce-Email.Relay" "SAP-SAP.Ariba" "Sendgrid-Sendgrid.Email" "SentinelOne-SentinelOne.Cloud" "Shadowserver-Scanner" "Shopify-Shopify" "Sinch-Mailgun" "Slack-Slack" "Spam-Spamming.Server" "StackPath-CDN" "Tencent-VooV.Meeting" "Twilio-Elastic.SIP.Trunking" "UK.NCSC-Scanner" "UptimeRobot-UptimeRobot.Monitor" "VadeSecure-VadeSecure.Cloud" "Veritas-Enterprise.Vault.Cloud" "Vonage-Vonage.Contact.Center" "Voximplant-Voximplant.Platform" "xMatters-xMatters.Platform" "Zendesk-Zendesk.Suite" "Zoho-Site24x7.Monitor" "Zoom.us-Zoom.Meeting"
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 96
set status enable
set name "SSL_VPN_ASN_BLOCKED_IPv4"
set srcintf "wan1"
set dstintf "WAN_to_LOOPBACK"
set srcaddr "ASN_lists_blocked"
set dstaddr "WAN_to_LOOPBACK"
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 91
set status enable
set name "SSL_VPN_AUTO_BLOCK_IPv4"
set srcintf "wan1"
set dstintf "WAN_to_LOOPBACK"
set srcaddr "Block_SSL_Failed"
set dstaddr "WAN_to_LOOPBACK"
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 92
set status enable
set name "SSL_VPN_MANUAL_BLOCKED_IPv4"
set srcintf "wan1"
set dstintf "WAN_to_LOOPBACK"
set srcaddr "manual_blocked"
set dstaddr "WAN_to_LOOPBACK"
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 94
set status enable
set name "SSL_VPN_ALLOWED_IPv4"
set srcintf "wan1"
set dstintf "WAN_to_LOOPBACK"
set action accept
set srcaddr "all"
set dstaddr "WAN_to_LOOPBACK"
set schedule "always"
set service "HTTPS"
set utm-status enable
set inspection-mode proxy
set profile-protocol-options "Core_Proxy"
set ssl-ssh-profile "certificate-inspection"
set ips-sensor "Core_high_security"
set logtraffic all
next
end
I have shifted away from SSL-VPN on the fortigate platform due to security vulnerabilities and the fact that Fortinet is in the process of removing SSL-VPN support from all desktop models and all models with 2GB of RAM. My FG-91G, while having 4GB of RAM is still considered a desktop model and will eventually cease to support SSL VPN.
in the link below is my entire IPsec configuration.
https://github.com/wallacebrf/dns/blob/main/IPsec%20Configuration.txt
the configuration listens ONLY on my IPv6 address on my WAN. I did this because I use a VPS server to access my systems due to my IPv4 address being behind CGNAT. I can connect to the VPS server's IPv4 address which forwards the traffic using SOCAT to my WAN IPv6 address. If you wish to use your WAN's IPv4 address, under config vpn ipsec phase1-interface
remove the line set ip-version 6
this configuration, even though it is through the IPv6 WAN address will assign BOTH a IPv4 and IPv6 dual stack IP address to your device.
The configuration uses a local in policy to allow ONLY addresses in the United States.